Connect2id server 12.5.2 security update addressing Log4j CVE-2021-45046

The extraordinary attention that Log4j received due to the Log4Shell (CVE-2021-44228) vulnerability led to the discovery of another related, but fortunately somewhat less severe, remote code execution exposure in the logging framework. This new issue is described in CVE-2021-45046.

This 12.5.2 release of the Connect2id server ships the Log4j patch for the new CVE, plus several other updates under the hood.

You can find more information in the release notes below.

Download

Standard Connect2id server edition

Apache Tomcat package with Connect2id server 12.5.2: Connect2id-server.zip

SHA-256: 4f254a27ef02dd1f7deffa05f6620b13d8ba00db2871c2c06d0143f4c419e0cd

Connect2id server 12.5.2 WAR package: c2id.war

SHA-256: 544b1259c3040cf970448f59ea0483b815849d94114a3f7e556bf600abe9071d

Multi-tenant edition

Apache Tomcat package with Connect2id server 12.5.2: Connect2id-server-mt.zip

SHA-256: 769fad20d1fda0b80dcd4ebae53f1dff5b0e1b6a9093938bd91898b544f2c01e

Connect2id server 12.5.2 WAR package: c2id-multi-tenant.war

SHA-256: c6882fc8ed2ac88252e95bcf5589a9abffaed3043999504a6a9d1046fff194c7

Questions?

Contact Connect2id support.


Release notes

12.5.2 (2021-12-15)

Resolved issues

  • Updates Log4j to 2.16.0 to address a critical vulnerability described in CVE-2021-45046, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 (issue server/708).

Dependency changes

  • Updates Log4j to 2.16.0

  • Updates to org.slf4j:slf4j-api:1.7.32

  • Updates to com.google.code.gson:gson:2.8.9

  • Updates to com.google.crypto.tink:tink:1.6.1

  • Updates BouncyCastle to 1.70.

  • Updates to com.unboundid:unboundid-ldapsdk:6.0.3